CIPHER is a Capture The Flag-style exercise in IT security for
teams of students from universities. The task is to maintain a server
running multiple services, while simultaneously trying to get unauthorized access to
the other team's servers. Each successful penetration gains points, as
well as keeping the own services up and functional during the course of the game.

Description

The exercise consists of multiple teams, each hosting a server that has
multiple services running, like e.g. a webserver, a mail server, or
customized services. The services contain typical security vulnerabilities
that allow to compromise the server to a certain extend.

The goal is to maintain the services up, functional and uncompromised
for the duration of the game. Additional scores can be gained by
patching the vulnerabilities of the services and exploiting the knowledge
of the found weaknesses at the other team's servers.

The focus of the exercise is on application layer security.

Organisational Details

Note that the contest is over.

The exercise is scheduled for July 14th, 2006. It will
start at 8am CEST and last until 4pm CEST (GMT+2, UTC+2).

Only complete teams of up to 5 students from a single university
are allowed to sign up. The limit is hard and includes everybody
actively participating in defense and offense.

Each team needs to have a contact person that does not actively
take part in the exercise and is responsible for the team's ethical behaviour.

Each team needs to have a contact person that is responsible for
technical stuff, esp. the VPN connection and the machine setup. This
person should answer to emails within 8 to 10h or faster. Presence in
the IRC or Instant Messenger are a plus.

Professionals should contact us, before subscribing. Please note that we will
reserve the majority of slots for university teams. If room remains, any groups can
apply for the remaining slots.

These teams have already pointed out their interest to the contest:

Affiliation

Note

Ruhr University Bochum, Germany

confirmed, 2 teams, university slot

RWTH Aachen, Germany

confirmed, 2 teams, university slot

nCircle Canada

1 team, corporation slot

Technical University of Darmstadt, Germany

confirmed, 2 teams, university slot

Katholieke Universiteit Leuven

confirmed, 1 team, university slot

University of Berlin

confirmed, 1 team, university slot

University of Cologne

confirmed, 1 team

University of La Plata, Argentinia

confirmed, 1 team, university slot

University of South Florida

confirmed, 1 team, university slot

BUSLab, Brno, Czech republic

confirmed, 1 team, university slot

Politecnico di Milano, Italy

confirmed, 1 team, university slot

University of Hamburg, Germany

confirmed, 1 team, university slot

Naval Postgraduate School, Monterey

confirmed, 1 team, university slot

Niederrhein University of Applied Sciences, Krefeld, Germany

confirmed, 1 team, university slot

Universita degli Studi di Milano

confirmed, 1 team, university slot

University of Regensburg

confirmed, 1 team, university slot

University of Jos, Nigeria

University of Nebraska at Omaha, USA

The timeline of the event is as follows:

Date and Time

Event

as early as possible

each team sets up its VPN and the test image according to the instructions

7/13, 20:00 CEST

distribution of the encrypted VMWare image

7/14, 08:00 CEST

all teams should have their VPNs running to check pairwise connectivity
(please don't block pings!)

7/14, 09:00 CEST

the key to the encrypted image is published in the IRC and by e-mail.
The game starts :-)

7/14, 10:00 CEST

the score bot starts checking for services

7/14, 16:00 CEST

the exercise is over, declaration of the winning team

Technical Details

The contest will consist of multiple teams, each hosting a server that has multiple services running,
like e.g. a webserver, a mail server, or customized services. The services contain typical security
vulnerabilities that allow to compromise the server to a certain extend.

We recommend to use two different host systems for routing and the vulnerable image due to robustness
reasons. The router, i.e. a team's gateway, can be any kind of hardware - any machine with two network
interfaces will do the job. Note that this machine should still be able to run at least one instance of
openvpn. The host machine carrying the vulnerable image should have at least 1GHz and 512MB of RAM, more
is preferred, and at least 1GB of RAM is recommended. If the VMWare image will run on the gateway,
the box should have at least 1.5GHz and 1GB RAM minimum. In addition to these two machines every player
will need a terminal to access the services of their own server and the other teams' servers. Whatever
the students can work with, will suffice here.

For local participation only (at the conference): there's internet access with enough bandwidth, tables
and seats. You'll have to bring with you: a LAN-switch, network cables, power cords and computers as
described above.

The VMWare image will be for x86-architecture with 32bit.

For CIPHER2 we plan add an additional server to the game which will serve the same services as the
other servers. In contrast to the team servers, this one will not be maintained by players but
serve as a target without an defending team.